[juliusmusseau]

I don't understand how VirusTotal was able to catch this. I suspect the malware author uploaded it because they wanted to ensure it appeared clean to all malware detectors - VirusTotal is a great way to test that!

It seems VirusTotal is a tool for running 70 anti-virus products at once against the same file. How can VirusTotal catch freshly developed malwares? How would VirusTotal even suspect that an uploaded file was fresh malware? That doesn't make sense to me.

[agnsaft]

VT is more than just the antivirus engines. If you subscribe (expensive!) you can actively hunt for malware using Yara-rules and a powerful search engine. if you know some patterns in malware you are tracking, you can add Yara rules that will run each time a file is uploaded and will notify you of any matches.

Lets assume you know a threat actor always uses the same variable names during heap sprays, you can discover new malware from this threat actor with a Yara rule to look for this pattern.

[_8j50]

Not just using yara rules but any file in VT you can find by hash,name,etc... And you get extra metadata like where it was uploaded from.

[juliusmusseau]

Thanks for the explanation. Very helpful!